GNU bug report logs

#49817 [PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246].


Report forwarded to guix-patches@gnu.org:
bug#49817; Package guix-patches. (Sun, 01 Aug 2021 22:33:01 GMT) (full text, mbox, link).


Acknowledgement sent to Leo Famulari <leo@famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches@gnu.org. (Sun, 01 Aug 2021 22:33:02 GMT) (full text, mbox, link).


Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

From: Leo Famulari <leo@famulari.name>
To: guix-patches@gnu.org
Subject: [PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246].
Date: Sun, 1 Aug 2021 18:31:44 -0400
CVE-2021-3246 is "A heap buffer overflow vulnerability in msadpcm_decode_block
of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted
WAV file."

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246

* gnu/packages/pulseaudio.scm (libsndfile)[replacement]: New field.
(libsndfile/fixed): Rename to ...
(libsndfile/propagate-dependencies): ... new variable. Use package/inherit.
(libsndfile/fixed): Recreate variable to provide a grafted update to 1.1.0beta1.
* gnu/packages/music.scm (liquidsfz)[inputs]: Replace libsndfile/fixed with
libsndfile/propagate-dependencies.
---
 gnu/packages/music.scm      |  2 +-
 gnu/packages/pulseaudio.scm | 50 ++++++++++++++++++++++++++++++++++---
 2 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/gnu/packages/music.scm b/gnu/packages/music.scm
index 9c69204610..b137eb397b 100644
--- a/gnu/packages/music.scm
+++ b/gnu/packages/music.scm
@@ -4879,7 +4879,7 @@ audio samples and various soft sythesizers.  It can receive input from a MIDI ke
      `(("jack" ,jack-2)
        ("lv2" ,lv2)
        ("readline" ,readline)
-       ("libsndfile" ,libsndfile/fixed)))
+       ("libsndfile" ,libsndfile/propagate-dependencies)))
     (home-page "https://github.com/swesterfeld/liquidsfz")
     (synopsis "Sampler library")
     (description "The main goal of liquidsfz is to provide an SFZ sampler
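Review bot: the renamed input `libsndfile/propagate-dependencies` in the liquidsfz `inputs` no longer says why this package cannot use plain `libsndfile`. A one-line comment at this entry, stating that liquidsfz relies on the variant that propagates libsndfile's dependencies and that the entry reverts to `libsndfile` once the variant is removed on core-updates, would save the next reader a trip to pulseaudio.scm.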
diff --git a/gnu/packages/pulseaudio.scm b/gnu/packages/pulseaudio.scm
index 639d33fb60..8c2f692e5b 100644
--- a/gnu/packages/pulseaudio.scm
+++ b/gnu/packages/pulseaudio.scm
@@ -45,6 +45,7 @@
   #:use-module (gnu packages)
   #:use-module (gnu packages algebra)
   #:use-module (gnu packages audio)
+  #:use-module (gnu packages autogen)
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages avahi)
   #:use-module (gnu packages boost)
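Review bot: only `(gnu packages autogen)` is added to the module list here, while the new `native-inputs` further down also reference `pkg-config` and `python-wrapper`. `(gnu packages autotools)` is visible in the context, but the modules providing those two are not, so please confirm they are already imported in this file; otherwise the definition fails with an unbound variable.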
@@ -71,6 +72,7 @@
 (define-public libsndfile
   (package
     (name "libsndfile")
+    (replacement libsndfile/fixed)
     (version "1.0.30")
     (source (origin
              (method url-fetch)
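Review bot: the `(replacement libsndfile/fixed)` field grafts a release from a different series (1.1.0beta1) onto dependents built against 1.0.30, and nothing in the commit message says the two are ABI-compatible. A graft swaps the library without rebuilding its dependents, so please state in the commit message or in a comment above this field that compatibility was checked, for example that the shared library's soname is unchanged.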
@@ -121,10 +123,52 @@ SPARC.  Hopefully the design of the library will also make it easy to extend
 for reading and writing new sound file formats.")
     (license l:gpl2+)))
 
-;; Remove this on core-updates
 (define-public libsndfile/fixed
-  (package
-    (inherit libsndfile)
+  (hidden-package
+    (package
+      (inherit libsndfile)
+      (name "libsndfile")
+      ; 1.1.0beta1
+      (version "1.1.0b")
+      (source (origin
+               (method git-fetch)
+               (uri (git-reference
+                      (url "https://github.com/libsndfile/libsndfile")
+                      (commit "1.1.0beta1")))
+               (file-name (git-file-name name "1.1.0beta1"))
+               (sha256
+                (base32
+                 "1g2f03jj3vya691pm6m6wingdyn9say9lzndi0p76kdk5jhn3k5z"))
+               (modules '((ice-9 textual-ports) (guix build utils)))
+               (snippet
+                '(begin
+                   ;; Remove carriage returns (CRLF) to prevent bogus
+                   ;; errors from bash like "$'\r': command not found".
+                   (chmod "tests/pedantic-header-test.sh.in" #o644)
+                   (let* ((data (call-with-input-file
+                                  "tests/pedantic-header-test.sh.in"
+                                 (lambda (port)
+                                   (string-join
+                                    (string-split (get-string-all port)
+                                                  #\return))))))
+                     (call-with-output-file "tests/pedantic-header-test.sh.in"
+                       (lambda (port) (format port data))))
+  
+                   ;; While at it, fix hard coded executable name.
+                   (substitute* "tests/test_wrapper.sh.in"
+                     (("^/usr/bin/env") "env"))
+                   #t))))
+      (native-inputs
+       `(("libtool" ,libtool)
+         ("autogen" ,autogen)
+         ("pkg-config" ,pkg-config)
+         ("python" ,python-wrapper)
+         ("autoconf" ,autoconf) 
+         ("automake" ,automake))))))
+
+;; Remove this on core-updates
+(define-public libsndfile/propagate-dependencies
+  (package/inherit libsndfile
     (inputs '())
     (propagated-inputs
      `(("libvorbis" ,libvorbis)
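Review bot: in the source snippet, `(lambda (port) (format port data))` passes the whole contents of tests/pedantic-header-test.sh.in as the format string, so any `~` in that script would be read as a format directive; write the data out with `(display data port)` or `(format port "~a" data)` instead. In the same snippet, `string-join` is called without a delimiter and therefore joins with a space, so each carriage return becomes a space rather than being removed as the comment says; `(string-delete #\return ...)` on the file contents does what the comment describes. Smaller points: `(name "libsndfile")` repeats what `inherit` already provides, the `; 1.1.0beta1` comment says what `(version "1.1.0b")` stands for but not why the tag name is not used as the version, and the blank line inside the snippet and the `("autoconf" ,autoconf)` line carry trailing whitespace.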
-- 
2.32.0





Information forwarded to guix-patches@gnu.org:
bug#49817; Package guix-patches. (Sun, 02 Apr 2023 13:00:02 GMT) (full text, mbox, link).


Message #8 received at 49817@debbugs.gnu.org (full text, mbox, reply):

From: Bruno Victal <mirai@makinata.eu>
To: Leo Famulari <leo@famulari.name>
Cc: 49817@debbugs.gnu.org
Subject: Re: [bug#49817] [PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246].
Date: Sun, 2 Apr 2023 13:59:16 +0100
Hi Leo,

On 2021-08-01 23:31, Leo Famulari wrote:
> CVE-2021-3246 is "A heap buffer overflow vulnerability in msadpcm_decode_block
> of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted
> WAV file."
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246

What's blocking this from being merged?
(Perhaps it's also a chance to plug it into core-updates to avoid adding the variants?)


Cheers,
Bruno




Information forwarded to guix-patches@gnu.org:
bug#49817; Package guix-patches. (Sun, 02 Apr 2023 20:17:01 GMT) (full text, mbox, link).


Message #11 received at 49817@debbugs.gnu.org (full text, mbox, reply):

From: "Leo Famulari" <leo@famulari.name>
To: "Bruno Victal" <mirai@makinata.eu>
Cc: 49817@debbugs.gnu.org
Subject: Re: [bug#49817] [PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246].
Date: Sun, 02 Apr 2023 16:15:58 -0400
Sure, please feel free to add it to core-updates.

I never pushed it because 1) there was no feedback and 2) I no longer understand the patch.

On Sun, Apr 2, 2023, at 08:59, Bruno Victal wrote:
> Hi Leo,
>
> On 2021-08-01 23:31, Leo Famulari wrote:
>> CVE-2021-3246 is "A heap buffer overflow vulnerability in msadpcm_decode_block
>> of libsndfile 1.0.30 allows attackers to execute arbitrary code via a crafted
>> WAV file."
>> 
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3246
>
> What's blocking this from being merged?
> (Perhaps it's also a chance to plug it into core-updates to avoid 
> adding the variants?)
>
>
> Cheers,
> Bruno




Information forwarded to guix-patches@gnu.org:
bug#49817; Package guix-patches. (Mon, 03 Apr 2023 14:23:02 GMT) (full text, mbox, link).


Message #14 received at 49817@debbugs.gnu.org (full text, mbox, reply):

From: Bruno Victal <mirai@makinata.eu>
To: Leo Famulari <leo@famulari.name>
Cc: 49817@debbugs.gnu.org
Subject: Re: [bug#49817] [PATCH] gnu: libsndfile: Update to 1.1.0beta1 [fixes CVE-2021-3246].
Date: Mon, 3 Apr 2023 15:22:41 +0100
On 2023-04-02 21:15, Leo Famulari wrote:
> Sure, please feel free to add it to core-updates.
> 
> I never pushed it because 1) there was no feedback and 2) I no longer understand the patch.

I'm not a committer😅, could you CC it to the core-update maintainers?
Thanks!


Cheers,
Bruno




Added tag(s) security. Request was from Bruno Victal <mirai@makinata.eu> to control@debbugs.gnu.org. (Tue, 04 Apr 2023 13:32:02 GMT) (full text, mbox, link).


Information forwarded to guix-patches@gnu.org:
bug#49817; Package guix-patches. (Wed, 05 Apr 2023 08:47:02 GMT) (full text, mbox, link).


Message #19 received at 49817@debbugs.gnu.org (full text, mbox, reply):

From: Andreas Enge <andreas@enge.fr>
To: Felix Lechner <felix.lechner@lease-up.com>
Cc: guix-devel@gnu.org, 49817@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Subject: Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
Date: Wed, 5 Apr 2023 10:46:05 +0200
On Tue, Apr 04, 2023 at 08:13:19PM -0700, Felix Lechner via Development of GNU Guix and the GNU System distribution wrote:
> On Tue, Apr 4, 2023 at 7:49 PM Leo Famulari <leo@famulari.name> wrote:
> > See <https://issues.guix.gnu.org/issue/49817>, which was never applied
> > anywhere.
> > I guess it's enough to update libsndfile to 1.1.0 on core-updates.
> The upstream commit [2] shows that the issue was fixed in libsndfile's
> master branch as part of their merge request #713, which made it into
> these versions:
> 1.2.0
> 1.1.0
> 1.1.0beta2
> 1.1.0beta1
> It may therefore be better to upgrade directly to 1.2.0, except I
> think there was an understanding that no new features should be
> allowed on our core-updates branch at this time.

Well, an update causes a lot of rebuilds anyway. The NEWS of 1.2.0 look
like it is in fact only a bugfix release, so I took the risk to update to
this latest version. pulseaudio still compiles, and pavucontrol still works
on my machine.

The update is pushed to core-updates, but I would suggest to keep the bug
open until it is merged to master.

Thanks for the heads-up!

Andreas





Information forwarded to guix-patches@gnu.org:
bug#49817; Package guix-patches. (Wed, 05 Apr 2023 15:55:02 GMT) (full text, mbox, link).


Message #22 received at 49817@debbugs.gnu.org (full text, mbox, reply):

From: Leo Famulari <leo@famulari.name>
To: Andreas Enge <andreas@enge.fr>
Cc: guix-devel@gnu.org, 49817@debbugs.gnu.org, Felix Lechner <felix.lechner@lease-up.com>
Subject: Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
Date: Wed, 5 Apr 2023 11:54:13 -0400
On Wed, Apr 05, 2023 at 10:46:05AM +0200, Andreas Enge wrote:
> Well, an update causes a lot of rebuilds anyway. The NEWS of 1.2.0 look
> like it is in fact only a bugfix release, so I took the risk to update to
> this latest version. pulseaudio still compiles, and pavucontrol still works
> on my machine.
> 
> The update is pushed to core-updates, but I would suggest to keep the bug
> open until it is merged to master.

Thank you Andreas!




Information forwarded to guix-patches@gnu.org:
bug#49817; Package guix-patches. (Wed, 05 Apr 2023 16:21:01 GMT) (full text, mbox, link).


Message #25 received at 49817@debbugs.gnu.org (full text, mbox, reply):

From: Felix Lechner <felix.lechner@lease-up.com>
To: Andreas Enge <andreas@enge.fr>
Cc: guix-devel@gnu.org, 49817@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Subject: Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
Date: Wed, 5 Apr 2023 09:19:43 -0700
Hi everyone,

On Wed, Apr 5, 2023 at 1:46 AM Andreas Enge <andreas@enge.fr> wrote:
>
> I would suggest to keep the bug
> open until it is merged to master.

Do we have a hook that closes such bugs automatically via instructions
in commit messages?

If not, I'd be happy to look into writing such a thing. It would also
help to tie commits to bug reports, which can be good for research
after the fact.

Kind regards,
Felix




Reply sent to Andreas Enge <andreas@enge.fr>:
You have taken responsibility. (Tue, 25 Apr 2023 13:51:02 GMT) (full text, mbox, link).


Notification sent to Leo Famulari <leo@famulari.name>:
bug acknowledged by developer. (Tue, 25 Apr 2023 13:51:02 GMT) (full text, mbox, link).


Message #30 received at 49817-done@debbugs.gnu.org (full text, mbox, reply):

From: Andreas Enge <andreas@enge.fr>
To: Felix Lechner <felix.lechner@lease-up.com>
Cc: 49817-done@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Subject: Re: [core-updates] It would be nice to fix libsndfile CVE-2021-3246 (arbitrary code execution via crafted WAV file)
Date: Tue, 25 Apr 2023 15:50:44 +0200
Merged to master.

Andreas





bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Wed, 24 May 2023 11:24:05 GMT) (full text, mbox, link).




debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 16:49:44 2024; Machine Name: wallace-server
